In this presentation, we start from a clean disk. We’re going to create this structure :

1

2

3

[EFI]--[Boot Ext4]--[Luks-"CryptDisk"]

[LVM-"lvm-vg"]

[Swap]--[Btrfs/]--[data]

Step by step

Boot from an Ubuntu live DVD or USB stick, and select “Try Ubuntu”.

Create two partitions using GParted included in the live disk. The first partition should be unformatted and should be large enough for root and swap, in my example, this is /dev/sda3. The second partition should be several hundred megabytes big and formatted in ext2 or ext3, it will be unencrypted and mounted to /boot (in my example this is /dev/sda4).In this screenshot, I have an existing unencrypted Ubuntu installation in two partitions: /dev/sda1 and /dev/sda5, highlight in the circle to the left. I have created an unformatted partition in /dev/sda3 and an ext3 partition in /dev/sda4, intended for the encrypted Ubuntu installation, higlighted in the circle to the right:

Create a LUKS container using these commands. Replace /dev/sda3 with the unformatted partition created earlier, and CryptDisk with a name of your choice.

1

2

sudo cryptsetup luksFormat/dev/sda3

sudo cryptsetup luksOpen/dev/sda3 CryptDisk

Inside the mounted LUKS container, create an LVM physical volume, a volume group and two logical volumes. The first logical volume will be mounted at /, and the second one will be used as swap. lvm-vg is the name of the volume group, and ubuntu-root and swap are the names of the logical volumes, you can choose your own.

1

2

3

4

sudo pvcreate/dev/mapper/CryptDisk

sudo vgcreate lvm-vg/dev/mapper/CryptDisk

sudo lvcreate-nubuntu-root-L7.5glvm-vg

sudo lvcreate-nswap-L1glvm-vg

Create filesystems for the two logical volumes: (You can also do this step directly from the installer.)

1

2

sudo mkfs.ext4/dev/mapper/lvm-vg-ubuntu-root

sudo mkswap/dev/mapper/lvm-vg-swap

Install Ubuntu using the graphical installer, choosing manual partitioning. Assign / to /dev/mapper/lvm-vg-ubuntu-root and /boot to the unencrypted partition created in step 2 (in this example,/dev/sda4).

Once the graphical installer is finished, select “continue testing” and open a terminal.

Find the UUID of the LUKS partitions (/dev/sda3 in this case), you will need it later:

Create a file named /etc/initramfs-tools/conf.d/cryptroot in the chrooted environment to contain this line, replacing CryptDisk with the name used to open the LUKS container, and the UUID value with the UUID of the LUKS partition: